Cisco Firepower Management Center 2000 Developer Guide
3-70
FireSIGHT eStreamer Integration Guide
Chapter 3 Understanding Intrusion and Correlation Data Structures
Understanding Series 2 Data Blocks
Table 3-38 Malware Event Data Block for 5.3.1+ Fields (continued)

| Field | Data Type | Description |
|---|---|---|
| String Block Type | uint32 | Initiates a String data block containing the URI. This value is always 0. |
| String Block Length | uint32 | The number of bytes included in the URI data block, including eight bytes for the block type and header fields plus the number of bytes in the URI field. |
| URI | string | URI of the connection. |
| Source Port | uint16 | Port number for the source of the connection. |
| Destination Port | uint16 | Port number for the destination of the connection. |
| Source Country | uint16 | Code for the country of the source host. |
| Destination Country | uint16 | Code for the country of the destination host. |
| Web Application ID | uint32 | The internal identification number of the detected web application, if applicable. |
| Client Application ID | uint32 | The internal identification number of the detected client application, if applicable. |
| Action | uint8 | The action taken on the file based on the file type. Can have the following values: 1 - Detect; 2 - Block; 3 - Malware Cloud Lookup; 4 - Malware Block; 5 - Malware Whitelist; 6 - Cloud Lookup Timeout; 7 - Custom Detection; 8 - Custom Detection Block. |
| Protocol | uint8 | IANA protocol number specified by the user. For example: 1 - ICMP; 4 - IP; 6 - TCP; 17 - UDP. This is currently only TCP. |
| Threat Score | uint8 | A numeric value from 0 to 100 based on the potentially malicious behaviors observed during dynamic analysis. |
| IOC Number | uint16 | ID number of the compromise associated with this event. |
| Security Context | uint8(16) | ID number for the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode. |
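The field layout above, decoded as an added example that is not code from the Cisco guide: a Python parser for this tail portion of the Malware Event Data Block, from the URI string block through Security Context. It assumes network (big-endian) byte order, as eStreamer records use, and feeds itself a constructed sample record; the action and protocol mappings are the ones listed in the table, and the bounds check on the declared string block length is the check a consumer should make before trusting a length field from the wire.

```python
import struct
from typing import Any, Dict, Tuple

# Action and protocol codes as listed in Table 3-38.
ACTIONS = {1: "Detect", 2: "Block", 3: "Malware Cloud Lookup", 4: "Malware Block",
           5: "Malware Whitelist", 6: "Cloud Lookup Timeout",
           7: "Custom Detection", 8: "Custom Detection Block"}
PROTOCOLS = {1: "ICMP", 4: "IP", 6: "TCP", 17: "UDP"}

STRING_BLOCK_TYPE = 0   # String Block Type is always 0
STRING_HEADER_LEN = 8   # block type (4) + block length (4)
# Source Port .. IOC Number, then the 16-byte Security Context (uint8(16)).
FIXED_FMT = "!HHHHIIBBBH16s"

def parse_string_block(buf: bytes, offset: int) -> Tuple[str, int]:
    """Return (decoded string, offset just past the block)."""
    if len(buf) - offset < STRING_HEADER_LEN:
        raise ValueError("truncated string block header")
    block_type, block_len = struct.unpack_from("!II", buf, offset)
    if block_type != STRING_BLOCK_TYPE:
        raise ValueError(f"unexpected string block type {block_type}")
    # The declared length counts the 8 header bytes; reject lengths that are
    # smaller than the header or run past the buffer instead of trusting them.
    if block_len < STRING_HEADER_LEN or offset + block_len > len(buf):
        raise ValueError(f"string block length {block_len} out of bounds")
    data = buf[offset + STRING_HEADER_LEN:offset + block_len]
    return data.decode("utf-8", errors="replace"), offset + block_len

def parse_malware_event_tail(buf: bytes, offset: int = 0) -> Dict[str, Any]:
    uri, pos = parse_string_block(buf, offset)
    if len(buf) - pos < struct.calcsize(FIXED_FMT):
        raise ValueError("truncated fixed-width fields")
    (src_port, dst_port, src_cc, dst_cc, web_app, client_app, action,
     proto, threat, ioc, sec_ctx) = struct.unpack_from(FIXED_FMT, buf, pos)
    if threat > 100:  # table defines the score as 0..100
        raise ValueError(f"threat score {threat} outside 0-100")
    return {"uri": uri, "src_port": src_port, "dst_port": dst_port,
            "src_country": src_cc, "dst_country": dst_cc,
            "web_app_id": web_app, "client_app_id": client_app,
            "action": ACTIONS.get(action, f"unknown({action})"),
            "protocol": PROTOCOLS.get(proto, f"unknown({proto})"),
            "threat_score": threat, "ioc_number": ioc,
            "security_context": sec_ctx.hex()}

def looks_like_valid_tail(buf: bytes) -> bool:
    try:
        parse_malware_event_tail(buf)
        return True
    except ValueError:
        return False

def build_sample() -> bytes:
    """Constructed sample record (values are illustrative, not captured)."""
    uri = b"http://example.test/payload.exe"
    string_block = struct.pack("!II", STRING_BLOCK_TYPE, STRING_HEADER_LEN + len(uri)) + uri
    fixed = struct.pack(FIXED_FMT, 49152, 80, 840, 276, 1000, 2000,
                        4, 6, 87, 0, b"\x00" * 16)
    return string_block + fixed
```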